Open Source Security Foundation

Solving open-source security, with bureaucracy

Protocol Enterprise

Welcome to Protocol Cloud, your comprehensive roundup of everything you need to know about the week in cloud and enterprise software. This week: A new open-source security foundation emerges to fortify what's become critical infrastructure, how cloud providers handled the worst economic quarter in generations, and AWS picks up a couple of financial services deals.

The Big Story

Securing the foundation

As open-source software has become a ubiquitous building block for running a business on the internet, end users have started to worry more and more about security, because who, exactly, is responsible for keeping things secure? In theory, open-source software should allay those fears; it's notionally more secure than proprietary software because so many people can read the code and spot flaws and bugs. But as with many things, it's more complicated in practice: code that anyone can review is not necessarily code that anyone does review.

Enter the new Open Source Security Foundation, introduced this week by the Linux Foundation as a combination of two previous projects aimed at shoring up the security of open-source software.

  • The basic idea behind the foundation is that "security researchers need a mechanism to allow them to collaboratively address methods needed to secure the open source security supply chain," it said in a FAQ on its launch website.
  • As cloud services make it easier for companies to assemble their own software from pieces of many different open-source projects, those companies have increasingly started to worry about the security of their "supply chains."
  • Complicating matters: Lots of newer open-source projects depend on older projects, so a flaw in one small, widely used library can cascade into every project built on top of it.
  • The new group hopes to prevent a repeat of the OpenSSL/Heartbleed disaster in 2014, during which a memory-disclosure bug in a widely used piece of open-source software left a large share of the world's web servers, 20% of them by some estimates, vulnerable to attacks.

Several cloud and enterprise software companies pledged support for the new group Monday — with one notable exception.

  • Microsoft/GitHub, Google, and IBM/Red Hat are inaugural members, along with open-source end user JPMorgan Chase.
  • AWS, however, is not. (Though the cloud leader is a member of the Core Infrastructure Initiative, which was created a month after the discovery of the Heartbleed flaw to tackle many of these same issues, and which will work with the new organization before dissolving over time.)
  • Still, it wouldn't be a foundation without vendor politics: It's fair to say AWS has had a rocky relationship with the open-source community over the last decade, although it has significantly elevated its participation and contributions to open-source software over the last few years.

The main impetus behind the foundation is prioritization: There are thousands of open-source projects in use in the software that runs the internet, and OpenSSF members will work together to decide which projects are the most critical and therefore most worthy of scrutiny.

  • Generally speaking, engineers like to work on the shiny new stuff, which means that a disproportionate amount of attention is often paid to promising new projects at the expense of well-understood projects that play a critical infrastructure role.
  • Several widely used projects, identified in a February 2020 report commissioned by the Linux Foundation and Harvard University, show years-long gaps in contributions of new code, as well as a gradual decline in contributions over time.
  • The OpenSSF will be able to marshal the resources of its participants and devote them toward those critical projects, which may otherwise languish.
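One way to make that prioritization concrete is to rank projects by how many other projects transitively depend on them, which is also the measure of how far a single flaw would cascade. The following is an added example, not code from Protocol, the OpenSSF or the Linux Foundation/Harvard census; the dependency graph and last-commit years are constructed for illustration only.

```python
"""Rank packages in a constructed dependency graph by transitive fan-in.

A leaf library with many transitive dependents is both the most critical
piece of the supply chain and the one with the widest blast radius when
it breaks. Pairing fan-in with staleness (years since the last commit)
surfaces the quiet infrastructure projects that tend to get neglected.
"""
from collections import defaultdict, deque

# Constructed data: package -> packages it directly depends on.
DEPENDS_ON = {
    "webapp":       ["framework", "tls-lib"],
    "framework":    ["http-parser", "json-lib", "logging"],
    "http-parser":  ["string-utils"],
    "json-lib":     ["string-utils"],
    "logging":      [],
    "tls-lib":      ["bignum", "string-utils"],
    "bignum":       [],
    "string-utils": [],
    "cli-tool":     ["json-lib", "logging"],
}

# Constructed data: year of the most recent code contribution per package.
LAST_COMMIT_YEAR = {
    "webapp": 2020, "framework": 2020, "http-parser": 2020,
    "json-lib": 2020, "logging": 2020, "tls-lib": 2020,
    "cli-tool": 2020, "bignum": 2016, "string-utils": 2015,
}


def reverse_graph(depends_on):
    """Invert the graph: package -> set of packages that depend on it."""
    dependents = defaultdict(set)
    for pkg, deps in depends_on.items():
        dependents.setdefault(pkg, set())  # keep leaves/roots present
        for dep in deps:
            dependents[dep].add(pkg)
    return dependents


def transitive_dependents(dependents, pkg):
    """Every package reachable upward from pkg: its blast radius."""
    seen = set()
    queue = deque([pkg])
    while queue:
        cur = queue.popleft()
        for parent in dependents.get(cur, ()):
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return seen


def criticality(depends_on, last_commit_year, now):
    """Return (package, transitive fan-in, years stale), most critical first."""
    dependents = reverse_graph(depends_on)
    rows = []
    for pkg in dependents:
        fan_in = len(transitive_dependents(dependents, pkg))
        stale = now - last_commit_year.get(pkg, now)
        rows.append((pkg, fan_in, stale))
    # Highest fan-in first; ties broken by staleness, then name for stability.
    rows.sort(key=lambda r: (-r[1], -r[2], r[0]))
    return rows


if __name__ == "__main__":
    for pkg, fan_in, stale in criticality(DEPENDS_ON, LAST_COMMIT_YEAR, 2020):
        print(f"{pkg:14} dependents={fan_in:2}  years_stale={stale}")
```

In the constructed graph the unglamorous `string-utils` library is touched by nothing directly visible to end users, yet a bug in it would reach every one of the six packages above it, and it is also the one nobody has committed to in five years. That combination is exactly what the census and the foundation are trying to surface.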

Industry associations are probably the only workable solution to the problems faced by the modern open-source ecosystem, with all its complex moving parts. The foundation is also another sign that open-source software has truly conquered the enterprise software world, and that the health of that software plays a larger role in the health of the modern tech industry than many people realize.

  • And once again, the new group puts the Linux Foundation in the middle of some of the most powerful companies and customers in this space. That's a very interesting position.

Read more from Philips


In the face of COVID-19, many healthcare providers turned to remote patient monitoring and virtual visits to continue caring for vulnerable patients while minimizing the risk of virus transmission and reducing the strain on scarce hospital resources. At Philips, we're pioneering stronger care networks with technologies we've spent decades innovating, and we believe our homes are destined to play a central role in the healthcare system of the future.


This Week In Protocol

Cloud cover: The U.S. economy appears to be on a precipice. But you wouldn't know it from the results of the major cloud providers, which saw some modest slowdowns in growth during the second quarter but still posted healthy results that indicate this sector could recover faster than most from this period of history.

Game on: Is this the moment for cloud gaming? Microsoft is expanding its xCloud gaming service to Android users in 22 countries, and our new gaming reporter Seth Schiesel took a look at how Microsoft will use its cloud data centers to accommodate a very different type of workload.

TikTok shock: Speaking of a very different type of workload, what exactly is Microsoft — whose tech turnaround story is one for the ages, thanks to its laser focus on cloud and enterprise software — thinking with its pursuit of TikTok? David Pierce unpacked its motivations in Monday's Source Code, correctly calling it "a legacy-defining moment" for Microsoft CEO Satya Nadella if a deal goes down.

Five Questions For...

Alfred Chuang, Race Capital

What was your first tech job?

After graduating from my master's at UC Davis, I felt so lucky that I landed my dream job as an engineer working for Sun Microsystems. Sun was the Google of its day. It was harder to get a job at Sun than to get into Harvard. I was excited to be part of this rocket ship and experienced the most extraordinary growth at the time.

What's the best piece of advice you could give to someone starting their first tech job?

Drawing from my own experience, my three [pieces of advice] for anyone starting their first tech job are:

  • Learn everything
  • Be interested in all aspects of the business
  • Take initiative and build a reputation for yourself

What has changed the most at your company over the past several months?

COVID-19 is the biggest accelerator of change for education, health care, future of work, fintech, among many other industries. Even though this crisis makes the near future seem bleak, I am optimistic about the new world and the new companies of tomorrow. I am even more excited about our ability to change as a human race and how this crisis and technology are speeding up the way we live. Essentials like telemedicine are finally seeing the light of day.

What was the biggest reason for the success of cloud computing over the past decade?

The biggest reason for the cloud's success is its flexibility and agility. Cloud computing has drastically lowered the barrier to entry for software systems development. Building a software company today costs a fraction of what it used to. Workers are no longer chained to their desks; thanks to the cloud they can now access data and files from wherever they are at any time. The recent surge in WFH would not have been possible if it were not for the cloud. We can all agree it has been a massive success.

What will be the biggest challenge for cloud computing over the coming decade?

The biggest challenge facing cloud computing is security and data privacy. While the centralization and access to that data has been the biggest reason for its success, it also poses the biggest risk. There have been multiple high-profile cloud breaches in the past 12 months. As you transfer sensitive data from your computer to a third party, you need to ensure you can trust the third party hosting the data.

Around the Cloud

Thanks for reading — see you next week.
